Customer responsibility documentation

[nikzei]

In order to help people understand what aspects of compliance are handled by cloud.gov and what is left to them, we want new and prospective users to be able to find information about which FISMA controls cg handles and which are left to them.

Acceptance criteria:

• I can find this information easily when I am looking for it
• I can tell how many controls cg is going to take care of for me relative to the non-cg case
• I can see the number of controls in each family that are taken care of by cg and the number that are in my domain of responsibility
• I can get more information about the specific controls
• I have advice for how I can comply with the remaining controls (this might split into a story in itself)

[brittag]

This might be good to file in cg-docs. Just in case it's helpful, additional context/resources for this item: the FedRAMP draft of this is in the second tab here, and @jezhumble has been working on a cloud.gov customer responsibility matrix for GSA compliance.

[brittag]

Noting for future work that there's some information related to this at https://docs.cloud.gov/intro/technology/responsibilities/

[nikzei]

That's great, @brittag. I'll cross reference this in #346 so that @jameshupp and @berndverst can consider incorporating this page into their website reorg sprint.

[afeld]

Here's the issue to be able to generate this list through Masonry: opencontrol/schemas#24

[brittag]

This is also related: cloud-gov/cg-site#327 ("Document the basics of how compliance works for products on cloud.gov").

[nikzei]

Skyporter is using this card to represent updating the customer responsibility matrix on the site.

We like the AC, but want to break them down: 1-3 as one story, 4 and 5 each their own story. cc: [@brittag - Britta Gustafson] and [@mogul - Bret Mogilefsky] [@jameshupp - James Hupp]

[brittag]

Cool! I'm not sure what prospective customers need from this right now - it might be that the CIS/CRM download at https://cloud.gov/overview/security/fedramp-tracker/#how-you-can-use-this + the FedRAMP Package Request Form is enough for them.

We did hear that current customers working on top of cloud.gov need more help with this - this came up in the Federalist ATO retro (https://docs.google.com/document/d/1tY56SdgNCNwOEABlhNOof_75LrZAP_OBOt6V2NJRPE4/edit + https://favro.com/card/1e11108a2da81e3bd7153a7a/18F-2925).

I suspect though that https://cloud.gov/overview/technology/responsibilities/ isn't serving readers very well right now to explain key aspects of platform vs customer responsibilities - I put some notes about that into https://docs.google.com/document/d/1nVCgwNdYO_IO_Vj-4FVeHWBlmLMrlOjXHmPghm0oObQ/edit?pli=1

[nikzei]

See: https://favro.com/card/1e11108a2da81e3bd7153a7a/18F-758 re: information around hardening.

[nikzei]

Allgress Regulatory Product Mapping mentioned by [@mogul - Bret Mogilefsky] in Slack: https://gsa-tts.slack.com/archives/cloud-gov-highbar/p1488259105001783; direct link: https://aws.amazon.com/blogs/aws/introducing-allgress-regulatory-product-mapping/

[nikzei]

This story needs to start with highbar - Skyporter is blocked until highbar has clarity around the specific information that we need to communicate.

[nikzei]

Related story: https://favro.com/card/1e11108a2da81e3bd7153a7a/18F-4002